New data protection fines in Romania: The National Supervisory Authority for Personal Data Processing - ANSPDCP issues new fines for Elefant Online S.A.
The National Supervisory Authority for Personal Data Processing (“ANSPDCP”) has recently announced new fines applied in Romania as a result of the enforcement of the national data privacy legislation, namely Law no. 506/2004.
Elefant Online S.A. was sanctioned with a fine of LEI 10,000 for a personal data breach, namely for not proving the express and unequivocal prior consent for the transmission of commercial messages by e-mail (in breach of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector).
On 14 October 2019, ANSPDCP announced the finalizing of the investigation of Elefant Online S.A. noting the following:
- Elefant Online S.A. breached the provisions of art. 13, paragraph (1), letter (q), of Law no. 506/2004, on the processing of personal data and the protection of privacy in the electronic communications sector, which led to the application of a fine amounting to LEI 10,000;
According to the press release issued by ANSPDCP, the sanction was applied because the controller did not prove the explicit and unequivocal prior consent for sending commercial messages by e-mail in violation of the provisions regarding the unsolicited communications provided by art. 13 paragraph (1) letter (q) of Law no. 506/2004 regarding the processing of personal data and the protection of privacy in the electronic communications sector).
Therefore, it was recommended that the controller Elefant Online S.A. take the necessary measures to comply with the provisions of art. 12 of Law no. 506/2004, for the purpose of sending commercial messages through electronic means of communication only with the express prior consent of the recipients. Also, the controller had not implemented adequate technical and organizational measures to ensure an adequate level of security and did not evaluate the risks involved with the data processing.
ANSPDCP applied this sanction following a complaint claiming that the controller Elefant Online S.A. sent unsolicited commercial messages to the petitioner on his e-mail address without his consent. Thus, although the petitioner had unsubscribed both on the controller's website and through the unsubscribe links in the newsletters, he continued to receive from Elefant Online S.A. unsolicited commercial messages on his e-mail address.
We have noticed recently an increased interest of ANSPDCP in respect of breaches of the provisions of Law no. 506/2004, especially when it comes to e-mail marketing activities or website cookies. This approach of the Romanian authority is also in line with the latest decisions of the European Court of Justice regarding e-mail marketing and cookies (Cause C-673/17 - Planet49 issued on October 1st 2019).